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Abstract. This short note investigates the effects of using expansions to 
the base of —2. The main applications we have in mind are cryptographic 
protocols, where the crucial operation is computation of scalar multiples. 
For the recently proposed groups arising from Picard curves this leads 
to a saving of at least 7% for the computation of an m-fold. For more 
general non-hyperelliptic genus 3 curves we expect a larger speed-up. 
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1 Introduction 

Recently, groups associated to elliptic and hyperelliptic curves received a 
lot of attention for cryptographic applications, and further kinds of curves 
were proposed and their arithmetic studied intensively. They allow smaller 
operands compared to RSA and DL in finite fields making them attractive 
for restricted devices. The performance on such small units is good [8]. 
More general curves were suggested and the group operations optimized 
for cryptographic applications. 

To compute scalar multiples mD, binary expansions of m are used and the 
computation of mD is split up as a sequence of additions and doublings. 
To achieve faster computations one uses windowing methods and signed 
representations (for a broad overview see Knuth [4]). 
Our idea speeds up scalar multiplication in groups for which computing 
—2D and —{D\ + D2) is faster than computing 2D and D\ +D2, respec- 
tively. For elliptic and hyperelliptic curves the negative of an element can 
be obtained almost for free. Hence, these groups will most probably not 
benefit from our new idea. But, the situation is different for Picard curves 
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or more general genus 3 quartic curves: using the — 2-adic expansion in- 
stead of a 2-adic we reduce the complexity by at least 7%. 
Of course, our considerations are not restricted to cryptography but allow 
speeding up scalar multiplication in groups in which "adding up to the 
neutral element" is easier computed than addition and so they could be 
of use in computer algebra systems, too. 

In this note we first describe the idea of —2-adic expansions and show 
how to apply them. Then we sketch the applications we have in mind, 
and finally show the time saving for Picard curves. 

To fix notation, let G be a finite abelian group of order i and let D 
be a generator of G. Furthermore, we assume that computing —2D or 
— (D1 + D2) is actually faster than computing 2D or D1 + D2 respectively. 



2 —2-adic Expansions 

Assume that we want to compute mD, m < t and put l(m) the length 
and w(m) the number of nonzero bits of the used expansion of m. Since 
we need both D and — D, we can allow signed digit representations. 
If l(m) + w(m) is even we start with D, otherwise with —D. While the 
doubling is always replaced by the computation of — 2-times the interme- 
diate result E we need to pay a little more attention on how to perform 
the former additions and subtractions. 



Algorithm 1 

INPUT: m E N, m = EEl?" 1 ™* 2 ** m i G l ^ 1 }; D G G 
OUTPUT: E := mD 

1. precompute and store —D 

2. compute I (m),w(m); 

3. put E := (— 1)^ D, where f := l(m) + w(m) mod 2; 
4- for i = l(m) —2 to do 

(a) E := -2(E); 

(b) f == 1 - f; 

(c) if mi / 

%. E := -(E + {-l)frmD); 
ii. f := 1 - /: 
5. output(E); 

The correctness follows from the fact that l(m) + w(m) — 2 is the total 
number of minus signs in front of the initial E. During the process / 
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keeps track of the parity of the number of sign changes. In step 4( c )h no 
multiplication is required. / assumes only values in {0, 1} and rrii £ {ill- 
Using this idea introduces only little bookkeeping overhead, namely the 
additional variable /. So such a system is really practicable - and useful 
if the operations involving the negative signs are faster. 

Remarks: 

1. If the expansion of m is not computed beforehand, one can always 
start with E = D, f = 0, irrespective of the parity of l(m)+w(m). The 
loop 4- is performed as above. Before Step 5. one checks whether / = 
1, in which case one outputs — E instead. So one avoids precomputing 
the expansion, at the price of a second negation with probability 1/2. 

2. If only for one of addition or doubling the negative is faster, similar 
considerations hold if one only replaces that operation. 

3. Of course the method can be combined with signed sliding windowing 
methods. In the applications we have in mind rD and —rD can be 
computed with only a few more operations than rD alone. 

3 Applications 

In this section we need to state some details from mathematics to show 
that there actually are applications of our idea. For an introduction to 
hyper elliptic curves see [6]. The following holds for arbitrary curves. 
Let C be a curve of genus g. The group used for cryptographic applications 
is a subgroup of the divisor class group of C: we briefly recall its main 
properties. Let G C be fixed. A divisor is a formal sum of points. We 
are interested in the degree zero divisors given by sums 



The principal divisors are the divisors of functions. The divisor class group 
is the group of the degree zero divisors modulo the principal ones. In each 
divisor class there exists a unique element (1) with n < g minimal. 

To add two classes C\, C2 one formally adds the representing divisors: D\ + 
D2 — (n\ + ri2)Poo- Then one determines a function / passing through the 
points on D\ + D2 with poles only in kPoo (k minimal) with multiplicities 
taken into account. Let D3 be the divisor represented by the points of 
intersection of / with the curve which are not in D\ and D2. Put = 



n 




(1) 
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k — n\—n2 and let C3 be the class of D3 — nzPoo ■ Since D\ + D2 + D3 — kPoo 
add up to a principal divisor we get c\ + C2 + C3 = 0. 
Usually one proceeds to find the negation C4 = — C3 to get c\ + C2 = C4. 
Our new proposal allows to skip this last step. Doublings just work the 
same with the function passing through the points of the representing 
divisor with doubled multiplicity. 

For hyperelliptic curves, taking the negative is very simple. The formulae 
for genus 2 and 3 [5,7] reveal that computing —2D instead of 2D saves 
only some additions in the underlying field. Therefore, we do not expect 
the — 2-adic expansion to lead to a saving. 

But the situation is completely different for non-hyperelliptic curves. For 
char(F 9 ) / 3 a Picard curve can be given by: 

zy 3 = z 4 f 4 (x/z) , f A € F q [x] 

where f'4 is monic, square-free and of degree 4. 

The arithmetic on Picard curves is detailed in [2] (see also [1]). An addi- 
tion needs 144M, 12S, and 21 and a doubling 158M, 16S, and 21 in the 
generic case. Applying Algorithm 1 reduces the costs to 133M, 9S, 21 or 
147M, 13S, 21 respectively. Some field additions are saved as well. Thus, 
here the saving is at least 7.5% or 7%, respectively, assuming a ratio of 
10 : 1 for inversions and 2 : 3 for squarings in relation to multiplications. 
An ordinary genus 3 quartic over F q is given by a projective equation: 

(aix 2 + a 2 y 2 + a 3 z 2 + a^xy + a 5 xz + a%yzf = l(x, y, z)xyz, 

where / G W q [x,y,z] is linear and a« G F q . On these curves computing 
the negation is even more complicated than on Picard curves (see [3]). 
Therefore, the saving due to —2-adic expansions is more dramatic. 
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